How secure are Authlogic passwords?

I'm planning to make the database of a Rails project available for download publicly. This database contains an Authlogic users table, with crypted_password and password_salt fields. How securely are these passwords stored... is it safe to make them available publicly this way? Or should I look at implementing another authentication system such as OpenID which doesn't store the passwords 开发者_JAVA百科in the database?

It's definitely not a good idea to share this, regardless of the level of security and encryption. Even if it were perfectly secure, at a minimum you'll be revealing user data, which doesn't sound like something your users are likely to be happy about. And what if it isn't perfectly secure (far more likely) -- suppose, say, there's a critical weakness in authlogic that hasn't been discovered yet?

Better safe than sorry. Share the rest if you want, but keep your users table and related data under wraps!

I would suggest you remove any fields involving user authentication (emails, passwords, salts and keys, open id urls) from any databases you are planning on sharing, otherwise you could find yourself in a world of pain when someone malicious gets hold of it.

It's definitely not safe to share hashed passwords, maybe you should try splitting your User model into something like UserProfile (user's public information - nickname, location, etc) and UserAccount which you could use for authentication. Then you could probably share everything except the accounts. Or maybe consider implementing some sort of an API which others could use to pull data from your site instead of publishing the whole database.

I think it would be wise to not include the user table in the database you make public regardless of the authentication system that you use. One of the advantages of using authlogic is that you can implement multiple means of authenticating farily painlessly. It doesn't matter if you use traditional registration, OAuth, OpenID, or RPX, all those methods are capable of pulling in personal information outside of a password into your user model. Users probably wouldn't feel happy with DOB/first & last name/location information being made public either.